Researchers at Check Point have revealed how a sophisticated cybercrime gang tricked three UK private equity firms and stole hundreds of thousands of pounds.

The gang, named ‘The Florentine Banker,’ got away with over £500,000 following a complex business email compromise (BEC) attack.

Over several months, the Florentine Banker focused on its targets, manipulating email conversations, registering lookalike web domains, and cashing out wire transfers in phases. All in all, four separate bank transactions attempted to transfer £1.1M to unrecognized bank accounts.

Emergency intervention by Check Point enabled the recovery of £570,000 of the transferred cash, leaving the rest as permanently lost funds. Check Point researchers also uncovered a number of purchased domains unrelated to the targets mentioned, indicating that there are potentially more targets in the cybercrime gang’s lineup.

The attacks began with a targeted phishing campaign against key people inside the victim companies, often CEOs and CFOs or those in charge of money transactions. In this case, the first phishing emails targeted only two people, one of whom provided their Office 365 email credentials. The phishing attacks then continued, persisting for weeks using alternating methods, occasionally adding new individuals to the list of targets until the attackers could gain a panoramic view of the financial picture of the company.

In the case of the three private equity funds, the attackers used a total of seven different domains, either as lookalike domains or as websites serving the phishing pages. Check Point also found 39 additional lookalike domains registered throughout 2018 and 2020, clearly trying to masquerade as a variety of legitimate businesses which may have been targeted by the Florentine Banker as well.

Check Point’s manager of threat intelligence, Lotem Finkelsteen, says, “These are times in which wire transfers are very common – from day-to-day actions to government stimulus packages for both citizens and businesses. I urge everyone to pay extra attention to what goes in and out of their inboxes, for you may be corresponding with the Florentine Banker.”

To guard against this kind of attack, businesses are advised to incorporate email security, educate employees about phishing and other threats, and add additional verification on wire transfers. If a similar breach has been detected in an organization, business partners should be notified as well. Any delay in notification only works for the benefit of the attacker.
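
As one concrete form of the email-security control above, a mail gateway or triage script can flag senders whose domain closely resembles a known correspondent's. The sketch below is an added example, not Check Point's tooling; the domains, the confusable-character table and the distance threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list: domains the firm really corresponds with (assumption).
TRUSTED_DOMAINS = {"northbridge-capital.example", "harbourfund.example"}

# Visual substitutions often used in lookalike registrations (assumed table).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain):
    """Collapse visually confusable character runs to one canonical form."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched trusted domain or None) for a From: header.

    verdict is 'trusted', 'lookalike' or 'unknown'.
    """
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted", domain
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= max_distance:
            return "lookalike", good
    return "unknown", None

# Constructed sample From: headers.
SAMPLES = [
    "Anna Reed <a.reed@northbridge-capital.example>",
    "Anna Reed <a.reed@northbridge-capita1.example>",
    "Accounts <ap@harbourfunds.example>",
    "Newsletter <news@weather.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_sender(header), header)
```

A "lookalike" verdict is a reason to hold the message and confirm any payment instruction through a separately known phone number, not proof of fraud on its own.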